Data Processing Addendum
Standard data processing terms for HARFT AI customers. Governs HARFT's processing of personal data on behalf of business customers.
Last updated: June 1, 2026
Introduction
This Data Processing Addendum ("DPA") forms part of the agreement between HARFT AI ("Processor," "HARFT," "we," or "us") and the business entity that subscribes to or uses HARFT services ("Controller," "Customer," or "you").
This DPA applies when HARFT processes personal data on behalf of Customer in connection with AI receptionist, customer support, workflow automation, and related services.
This DPA is designed for enterprise-friendly review and aligns with common processor obligations under U.S. state privacy laws and GDPR-style frameworks where applicable. Enterprise customers may request a countersigned copy by contacting security@harft.ai.
Definitions
- "Personal Data" means information relating to an identified or identifiable individual that Customer submits to or processes through the Services.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Controller" means the entity that determines the purposes and means of Processing Personal Data (typically the Customer).
- "Processor" means HARFT AI, which Processes Personal Data on behalf of the Controller.
- "Subprocessor" means a third party engaged by HARFT to Process Personal Data.
- "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- "Services" means HARFT AI products and services governed by the underlying agreement (Terms of Service, MSA, or Order Form).
Roles of Controller and Processor
Customer is the Controller (or an authorized processor acting on behalf of a Controller) for Personal Data it provides to HARFT, including end-user call data, CRM records, and workflow content.
HARFT acts as a Processor, Processing Personal Data only on documented instructions from Customer, except where required by applicable law.
HARFT may Process aggregated and de-identified data that does not identify individuals for service improvement, security, and analytics, provided such data cannot reasonably be re-identified.
Processing Instructions
HARFT will Process Personal Data only to:
- Provide, maintain, and support the Services as described in the agreement
- Execute Customer-configured workflows, AI agents, and integrations
- Comply with Customer's documented instructions sent through the platform or support channels
- Comply with applicable law (in which case HARFT will inform Customer unless prohibited)
Customer instructions
Customer is responsible for ensuring its instructions comply with applicable data protection law and that it has obtained all necessary consents and notices for Processing (including call recording and SMS consent where required).
Security Measures
HARFT implements technical and organizational measures designed to protect Personal Data, including controls aligned with SOC 2 Trust Service Criteria as part of HARFT's SOC 2 Readiness Program. HARFT has not yet completed an independent SOC 2 audit.
Security measures include:
- Multi-factor authentication (MFA) for administrative and production access
- Encryption in transit (TLS 1.2+) and encryption at rest (AES-256)
- Role-based access control (RBAC) with organization-scoped tenant isolation
- Audit logging of authentication, administrative actions, and API access
- Documented incident response and business continuity procedures
- Vendor security assessments for subprocessors processing Personal Data
Security documentation
Upon request, HARFT will provide reasonable security documentation (such as policy summaries and architecture overviews) to support Customer's vendor assessments. Detailed internal policies are available under NDA for enterprise customers.
Subprocessor Disclosures
Customer authorizes HARFT to engage Subprocessors to support the Services. HARFT maintains a current list of Subprocessors that Process Personal Data:
Infrastructure and platform
- Microsoft Azure — cloud hosting, databases, and object storage
- Cloudflare — CDN, DNS, WAF, and edge security
AI and communications
- OpenAI — LLM inference for conversational AI, document processing, and workflow automation
- Telnyx — voice communications, SMS, and telephony infrastructure
Payments and identity
- Stripe — payment processing (billing data only; HARFT does not store raw card numbers)
- Clerk — customer portal and admin authentication (where enabled)
- Microsoft Entra ID — corporate identity and administrative access
Subprocessor changes
HARFT will notify Customer of material Subprocessor changes via email or account notification. Customer may object on reasonable data protection grounds within thirty (30) days. If the parties cannot resolve the objection, Customer may terminate affected Services.
International Transfers
Personal Data is primarily processed and stored in the United States. If Customer requires data residency in a specific region, this must be agreed in writing before deployment.
Where Personal Data is transferred internationally, HARFT will implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms where required by applicable law.
Data Subject Rights
HARFT will assist Customer in responding to requests from data subjects exercising rights under applicable privacy law (access, correction, deletion, portability, restriction, and objection), to the extent such rights apply to Processing under this DPA.
Customer is responsible for verifying data subject identity and determining the appropriate response. HARFT will respond to Customer's documented requests within commercially reasonable timeframes.
Data subjects should contact Customer directly. Customer may forward requests to privacy@harft.ai for HARFT's assistance.
Breach Notification Process
HARFT will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a confirmed Security Incident affecting Customer Personal Data.
Notification will include, to the extent known: nature of the incident, categories of data affected, likely consequences, and measures taken or proposed. HARFT will cooperate with Customer's investigation and regulatory notification obligations.
Security incidents may be reported to security@harft.ai.
Data Deletion Obligations
Upon termination or expiration of the Services, HARFT will delete or return Customer Personal Data per Customer's written instructions and the Data Retention Policy, within thirty (30) days unless longer retention is required by law.
Backup copies containing Personal Data will be deleted on their normal rotation schedule (maximum ninety (90) days) unless HARFT is legally required to retain them.
Customer may request deletion at any time during the term via privacy@harft.ai or through account settings where available. Deletion requests are subject to identity verification and contractual obligations.
Audits and Compliance
HARFT will make available information necessary to demonstrate compliance with this DPA, including responses to reasonable security questionnaires.
Upon written request and subject to confidentiality, Customer may conduct or commission one audit per year (or review HARFT's future SOC 2 report when available). Audits must not unreasonably disrupt HARFT operations and are at Customer's expense unless a material breach is confirmed.
Order of Precedence
If there is a conflict between this DPA and the main agreement, this DPA controls with respect to data protection. If Customer and HARFT have executed a custom DPA or MSA with data protection terms, the signed document controls.
Contact
DPA and data protection inquiries:
- Privacy: privacy@harft.ai
- Security: security@harft.ai
- Trust Center: https://harftai.com/trust